Skip to content

Latest commit

 

History

History
451 lines (306 loc) · 15.7 KB

ch02.asciidoc

File metadata and controls

451 lines (306 loc) · 15.7 KB

Elliptic Curves

In this chapter we’re going to learn about Elliptic Curves. In the [chapter_elliptic_curve_cryptography], we will combine Elliptic Curves with Finite Fields to make Elliptic Curve Cryptography.

As in the [chapter_finite_fields], Elliptic Curves can look intimidating if you haven’t seen them before. Also as in [chapter_finite_fields], the actual math isn’t very difficult. Most of Elliptic Curves could have been taught to you after Algebra. In this chapter, we’ll get to what these curves are and what we can do with them.

Definition

Elliptic Curves are like many equations you’ve been seeing since pre-Algebra. They have y on one side and x on the other in some form. Elliptic Curves have a form like this:

y2=x3+ax+b

You’ve worked with other equations that look similar. For example, you probably learned the linear equation back in pre-Algebra:

y = mx + b

You may even remember that m here has the name slope and b, y-intercept. You can also graph linear equations like Linear Equation:

Linear Equation
Figure 1. Linear Equation

Similarly, you’re probably familiar with the quadratic equation and its graph (Quadratic Equation):

y = ax2+bx+c

Quadratic Equation
Figure 2. Quadratic Equation

And sometime around Algebra, you did even higher orders of x, something called the cubic equation and its graph (Cubic Equation):

y = ax3+bx2+cx+d

Cubic Equation
Figure 3. Cubic Equation

An Elliptic Curve isn’t all that different. The only real difference between the Elliptic Curve and the cubic curve above is the y2 term on the left side. This has the effect of making the graph symmetric over the x-axis, shown in Continuous Elliptic Curve:

Elliptic Curve Equation
Figure 4. Continuous Elliptic Curve

The Elliptic Curve is also less steep than the cubic curve. Again, this is because of the y2 term on the left side. At times, the curve may even be disjoint like Disjoint Elliptic Curve:

Elliptic Curve Equation
Figure 5. Disjoint Elliptic Curve

If it helps, an Elliptic Curve can be though of as taking a cubic equation graph (Step 1: A Cubic Equation), taking only the part above the x-axis, flattening it out (Step 2: Stretched Cubic Equation) and then mirroring the top half on the bottom half of the x-axis (Step 3: Reflected over the X-Axis).

Start
Figure 6. Step 1: A Cubic Equation
Stretch
Figure 7. Step 2: Stretched Cubic Equation
Symmetric
Figure 8. Step 3: Reflected over the X-Axis

Specifically, the Elliptic Curve used in Bitcoin is called secp256k1 and it uses this particular equation:

y2=x3+7

The canonical form is y2=x3+ax+b so the curve is defined by the constants a=0, b=7. The curve looks like secp256k1 Curve:

secp256k1 Curve
Figure 9. secp256k1 Curve

Coding Elliptic Curves in Python

For a variety of reasons which will be made clear later, we are not interested in the curve itself, but specific points on the curve. For example, in the curve y2=x3+5x+7, we are interested in the coordinate (-1,1). We are thus going to define the class Point to be a point on a specific curve. The curve has the form y2=x3+ax+b, so we can define the curve with just the two numbers a and b.

link:code-ch02/ecc.py[role=include]
  1. We check here that the point is actually on the curve.

  2. Points are equal if and only if they are on the same curve and have the same coordinates

We can now create Point objects, and we will get an error if the point is not on the curve:

link:code-ch02/examples.py[role=include]

In other words, init will raise an exception when the point is not on the curve.

Point Addition

Elliptic Curves are useful because of something called Point Addition. Point Addition is where we can do an operation on two of the points on the curve and get a third point, also on the curve. This is called "addition" because the operation has a lot of the intuitions we associate with what we call "addition". For example, Point Addition is commutative. That is, adding point A to point B is the same as adding point B to point A.

The way we define Point Addition is as follows. It turns out that for every Elliptic Curve, a line will intersect it at either 1 point (Line intersects at only 1 point) or 3 points (Line intersects at 3 points), except for a couple of special cases.

Line intersecting at 1 point
Figure 10. Line intersects at only 1 point
Line intersecting at 3 points
Figure 11. Line intersects at 3 points

The two exceptions are when a line is tangent to the curve (Line intersects at 2 points because it’s tangent to the curve) and when a line is exactly vertical (Line intersects at 2 points because it’s vertical).

Vertical Line
Figure 12. Line intersects at 2 points because it’s vertical
Tangent Line
Figure 13. Line intersects at 2 points because it’s tangent to the curve

We will come back to these two cases later.

We can define point addition using the fact that lines intersect one or three times with the Elliptic Curve. Two points define a line, so since that line must intersect the curve at some point one more time. That third point reflected over the x-axis is the result of the point addition.

Like Finite Field Addition, we are going to define point addition. In our case, point addition is defined this way:

For any two points P1=(x1,y1) and P2=(x2,y2), we get P1+P2 by:

  • Find the point intersecting the Elliptic Curve a third time by drawing a line through P1 and P2

  • Reflect the resulting point over the x-axis

Visually, it looks like Point Addition:

Point Addition
Figure 14. Point Addition

We first draw a line through the two points we’re adding (A and B). The third intersection point is C. We then reflect that point over the x-axis, which puts us at the A+B point in Point Addition.

One of the properties that we are going to use is that point addition is not easily predictable. We can calculate point addition easily enough with a formula, but intuitively, the result of point addition can be almost anywhere given two points on the curve. Going back to Point Addition, A+B is to the right of both points, A+C would be somewhere between A and C on the x-axis, and B+C would be to the left of both points. In mathematics parlance, point addition is non-linear.

Math of Point Addition

"Addition" in the name Point Addition satisfies certain properties that we think of as addition, such as:

  • Identity

  • Commutativity

  • Associativity

  • Invertibility

Identity here means that there’s a zero. That is, there exists some point (I) which when added to a point (A) results in A. We’ll call this point the point at infinity (reasons for this will become clear in a bit). That is:

I + A = A

This is also related to invertibility. For some point A, there’s some other point -A which results in the Identity point. That is:

A + (-A) = I

Visually, these are points opposite the x-axis on the curve (see Vertical Line Intersection).

Vertical Line
Figure 15. Vertical Line Intersection

This is why we call this point the point at infinity. We have one extra point in the Elliptic Curve which makes the vertical line intersect the curve a third time.

Commutativity means that A+B=B+A. This is obvious since the line going through A and B will intersect the curve a third time in the same place no matter the order.

Associativity means that (A+B) + C = A + (B+C). This isn’t obvious and is the reason for flipping over the x-axis.

Case 1
Figure 16. (A+B)+C
Case 2
Figure 17. A+(B+C)

You can see that in both (A+B)+C and A+(B+C), the final point is the same. While this doesn’t prove the associativity of point addition, the visual should at least give you the intuition that this is true.

To code point addition, we’re going to split it up into 3 steps:

  1. Where the points are in a vertical line or using the Identity.

  2. Where the points are not in a vertical line, but are different.

  3. Where the two points are the same.

Coding Point Addition

We first handle the identity, or the point at infinity. Since we can’t easily use infinity in Python, we’ll use the None value instead. What we want is this to work:

link:code-ch02/examples.py[role=include]

In order to make this work, we have to do two things:

First, we have to adjust the init method slightly so it doesn’t check that the curve equation is satisfied when we have the point at infinity. Second, we have to overload the addition operator or add as we did with the FieldElement class.

class Point:

    def __init__(self, x, y, a, b):
        self.a = a
        self.b = b
        self.x = x
        self.y = y
link:code-ch02/ecc.py[role=include]
        if self.y**2 != self.x**3 + a * x + b:
            raise ValueError('({}, {}) is not on the curve'.format(x, y))

link:code-ch02/ecc.py[role=include]
  1. x-coordinate and y-coordinate being None is how we signify the point at infinity. Note that the next if statement will fail if we don’t return here.

  2. We overload the + operator here

  3. self.x being None means that self is the point at infinity, or the additive identity. Thus, we return other

  4. self.x being None means that other is the point at infinity, or the additive identity. Thus, we return self

Point Addition for when x1≠x2

Now that we’ve covered the vertical line, we’re now proceeding to when the points are different. When we have points where the `x’s differ, we can add using a fairly simple formula. To help with intuition, we’ll first find the slope created by the two points. You can figure this out using a formula from pre-Algebra:

  • P1=(x1,y1), P2=(x2,y2), P3=(x3,y3)

  • P1+P2=P3

  • s=(y2-y1)/(x2-x1)

This is the slope and we can use the slope to calculate x3. Once we know x3, we can calculate y3. P3 can be derived using this formula:

  • x3=s2-x1-x2

  • y3=s(x1-x3)-y1

Remember that y3 is the reflection over the x-axis.

Deriving The Point Addition Formula

Supposing:

  • P1=(x1,y1), P2=(x2,y2), P3=(x3,y3)

  • P1 + P2 = P3

We want to know what P3 is.

Let’s start with the fact that the line that goes through P1 and P2 has this formula:

  • s=(y2-y1)/(x2-x1)

  • y=s(x-x1)+y1

The second formula above is the equation of the line that intersects at both P1 and P2. Now using this formula and plugging it into the Elliptic Curve equation, we get:

  • y2=x3+ax+b

  • y2=(s(x-x1)+y1)2=x3+ax+b

Gathering all the terms, we have this polynomial equation:

  • x3-s2x2+(a+2s2x1-2sy1)x+b-x12+2sx1y1-y12=0

We also know that x1, x2 and x3 are solutions to this equation, thus:

  • (x-x1)(x-x2)(x-x3)=0

  • x3-(x1+x2+x3)x2 +(x1x2+x1x3+x2x3)x-x1x2x3=0

From above, we know that:

  • x3-s2x2+(a+2s2x1-2sy1)x+b-x12+2sx1y1-y12=0

There’s a result from called the Vieta’s Formula (https://en.wikipedia.org/wiki/Vieta%27s_formulas), which states that the coefficients have to equal each other if the roots are the same. The first coefficient that’s interesting is the coefficient in front of x2:

-s2=-(x1+x2+x3)

We can use this to derive the formula for x3:

x3=s2-x1-x2

We can plug this in to the formula for the line above:

y=s(x-x1)+y1

But we have to reflect over the x-axis, so the right side has to be negated:

y3=-(s(x3-x1)+y1)=s(x1-x3)-y1

QED

Coding Point Addition for when x1≠x2

We now code this into our library. That means we have to adjust the add method to handle the case where x1≠x2. We have the formulas:

  • s=(y2-y1)/(x2-x1)

  • x3=s2-x1-x2

  • y3=s(x1-x3)-y1

At the end of the method, we return an instance of the class Point using self.class to make subclassing easier..

Point Addition for when P1=P2

When the x coordinates are the same and the y coordinate is different, we have the situation where the points are opposite each other over the x-axis. We know that this means:

P1=-P2 or P1+P2=I

We’ve already handled this in Exercise 3.

What happens when P1=P2? Visually, we have to calculate the line that’s tangent to the curve at P1 and find the point at which the line intersects the curve. The situation looks like this as we saw before (see Line that’s tangent to the curve):

Tangent Line
Figure 18. Line that’s tangent to the curve

Once again, we’ll find the slope of the tangent point.

  • P1=(x1,y1), P3=(x3,y3)

  • P1+P1=P3

  • s=(3x12+a)/(2y1)

The rest of the formula goes through as before, except x1=x2, so we can combine them:

  • x3=s2-2x1

  • y3=s(x1-x3)-y1

Note
Deriving the Slope Tangent to the Curve

We can derive the slope of the tangent line using some slightly more advanced math: calculus. We know that the slope at a given point is

dy/dx

To get this, we need to take the derivative of both sides of the Elliptic Curve equation:

y2=x3+ax+b

Taking the derivative of both sides, we get:

2y dy=(3x2+a) dx

Solving for dy/dx, we get:

dy/dx=(3x2+a)/(2y)

That’s how we arrive at the slope formula. The rest of the results from the point addition formula derivation hold.

Coding Point Addition for when P1=P2

We adjust the add method to account for this particular case. We have the formulas, we now implement them.

  • s=(3x12+a)/(2y1)

  • x3=s2-2x1

  • y3=s(x1-x3)-y1

Coding One More Exception

There is one more exception and this involves the case where the tangent line is vertical (Vertical and Tangent to the curve):

Tangent Vertical
Figure 19. Vertical and Tangent to the curve

This can only happen if P1=P2 and the y-coordinate is 0, in which case the slope calculation will end up with a 0 in the denominator.

We handle this with a special case:

class Point:
    ...
    def __add__(self, other):
    	...
	if self == other and self.y == 0 * self.x:  # (1)
	    return self.__class__(None, None, self.a, self.b)
  1. If the two points are equal and the y coordinate is zero, we return the point at infinity.

Conclusion

We’ve covered what Elliptic Curves are, how they work and how to do point addition. We now combine the concepts from [chapter_finite_fields] and Elliptic Curves to learn Elliptic Curve Cryptography in [chapter_elliptic_curve_cryptography].